Creating EFS file systems - Amazon Elastic File System
Required IAM permissions for creating file systemsConfiguration options

Creating EFS file systems

Following, you can learn how to create an Amazon EFS file system by using the AWS Management Console and the AWS CLI.

Required IAM permissions for creating file systems

To create EFS resources, such as a file system and access points, you must have AWS Identity and Access Management (IAM) permissions for the corresponding API operation and resource.

Create IAM users and grant them permissions for Amazon EFS actions with user policies. You can also use roles to grant cross-account permissions. Amazon Elastic File System also uses an IAM service-linked role that includes permissions required to call other AWS services on your behalf. For more information about managing permissions for API operations, see Identity and access management for Amazon EFS.

Configuration options for file systems

You can create a file system by using the Amazon EFS console or by using the AWS Command Line Interface (AWS CLI). You can also create file systems programmatically by using AWS SDKs or the Amazon EFS API directly. If you're using the Amazon EFS API or an AWS SDK, you can use the CreateFileSystem EFS API action to create file system policies.

When creating an Amazon EFS file system by using the custom create flow in the console or the AWS CLI, you can choose settings for the following file system features and configuration options.

File system type

The file system type determines the availability and durability with which an Amazon EFS file system stores data within an AWS Region. You have the following choices for your file system type:

  • Choose Regional to create a file system that stores data and metadata redundantly across all Availability Zones within an AWS Region. You can also create mount targets in each Availability Zone in the AWS Region. Regional offers the highest levels of availability and durability.

  • Choose One Zone to create a file system that stores data and metadata redundantly within a single Availability Zone. File systems that use One Zone file system type can have only a single mount target. This mount target must be located in the same Availability Zone in which the file system is created.

    Note

    One Zone file systems are available to only certain Availability Zones. For a table that lists the Availability Zones in which you can use One Zone file systems, see Supported Availability Zones for One Zone file systems.

Automatic backups

Automatic backups are always enabled by default when you create a file system by using the console. When you use the CLI or API to create a file system, automatic backups are enabled by default only when you are creating file systems that are using One Zone file systems. For more information, see Managing automatic backups of EFS file systems.

Lifecycle policies

Lifecycle management uses lifecycle policies to automatically move files into and out of the lower-cost Infrequent Access (IA) storage class based on access patterns. When you create a file system by using the AWS Management Console, the file system's lifecycle policy is configured with the following default settings:

  • Transition into IA set to 30 days since last access.

  • TransitionToArchive set to 90 days since last access.

  • Transition into Standard set to None.

When you create a file system by using the AWS CLI, Amazon EFS API, or AWS SDKs, you cannot set a lifecycle policy at the same time. You must wait until the file system is created, and then use the PutLifecycleConfiguration API operation to update the lifecycle policy. For more information, see EFS storage classes and Managing storage lifecycle.

Encryption

You can enable encryption if data at rest when creating a file system. If you enable encryption for your file system, all data and metadata stored on it are encrypted. Once you create an EFS file system, you cannot change its encryption setting. This means that you cannot modify an unencrypted file system to make it encrypted. Instead, you need to create a new, encrypted file system. For more information about Amazon EFS encryption, see Encrypting data in Amazon EFS.

To create the file system mount targets in your VPC, you must specify VPC subnets. The console pre-populates the list of VPCs in your account that are in the selected AWS Region. First, you select your VPC, and then the console lists the Availability Zones in the VPC. For each Availability Zone, you can select a subnet from the list, or use the default subnet if it exists. After you select a subnet, you can either specify an available IP address in the subnet or let Amazon EFS choose an address automatically.

Throughput modes

There are three throughput modes to choose from:

  • Elastic (Recommended) – Provides throughput that scales up and down automatically in real time, to meet your workload’s performance needs.

    Note

    Elastic throughput is available only for file systems that have the General Purpose performance mode.

  • Provisioned – Provides the level of throughput you specify, independent of the file system's size.

  • Bursting – Provides throughput that scales with the amount of data in Standard storage.

For more information, see Throughput modes.

Note

Additional charges are associated with using Elastic and Provisioned throughput. For more information, see Amazon EFS pricing.

Performance modes

When creating a file system, you also choose a performance mode. There are two modes to choose from—General Purpose and Max I/O.

  • General Purpose mode has the lowest per-operation latency and is recommended for all file systems.

  • Max I/O is a previous generation performance type that is designed for highly parallelized workloads that can tolerate higher latencies than the General Purpose mode. Max I/O mode is not supported for One Zone file systems or file systems that use Elastic throughput.

Important

Due to the higher per-operation latencies with Max I/O, we recommend using General Purpose performance mode for all file systems.

For more information, see Performance modes.

In this step, use the Amazon EFS console to create an Amazon EFS file system that has the recommended settings. If you want to create a file system with a customized configuration, see Custom using the console.

To quick create an Amazon EFS file system that has the recommended settings

  1. Sign in to the AWS Management Console and open the Amazon EFS console at https://console.aws.amazon.com/efs/.

  2. Choose Create file system to open the Create file system dialog box.

  3. (Optional) Enter a Name for your file system.

  4. For Virtual Private Cloud (VPC), choose your VPC, or keep it set to your default VPC.

  5. Choose Create to create a file system that uses the following service recommended settings:

    • Automatic backups enabled. For more information, see Backing up EFS file systems.

    • Mount targets configured with the following settings:

      • Created in each Availability Zone in the AWS Region in which the file system is created.

      • Located in the default subnets of the VPC you selected.

      • Using the VPC's default security group – You can manage security groups after the file system is the created.

      For more information, see Managing mount targets.

    • Regional file system type – For more information, see EFS file system types.

    • General Purpose performance – For more information, see Performance modes.

    • Elastic throughput – For more information, see Throughput modes.

    • Encryption of data at rest enabled using your default key for Amazon EFS (aws/elasticfilesystem) – For more information, see Encrypting data at rest.

    • Lifecycle management – Amazon EFS creates the file system with the following lifecycle policies:

      • Transition into IA set to 30 days since last access.

      • TransitionToArchive set to 90 days since last access.

      • Transition into Standard set to None.

      For more information, see Managing storage lifecycle.

    After you create the file system, you can customize the file system's settings with the exception of availability and durability, encryption, and performance mode.

    The File systems page appears with a banner across the top showing the status of the file system you created. A link to access the file system details page appears in the banner when the file system becomes available.

    For more information about file system status, see Understanding file system status.

This section describes the process of using the Amazon EFS console to create an EFS file system with customized settings instead of using the service-recommended settings. For more information about creating a file system by using the recommended settings, see Quick create using the console.

Creating an EFS file system with custom settings by using the console is a four-step process:

  • Step 1 – Configure general file system settings, including the storage class and throughput mode.

  • Step 2 – Configure file system network settings, including the virtual private cloud (VPC) and mount targets. For each mount target, set the Availability Zone, subnet, IP address, and security groups.

  • Step 3 – (Optional) Create a file system policy to control NFS client access to the file system.

  • Step 4 – Review the file system settings, make any changes, and then create the file system.

Step 1: Configure file system settings

  1. Sign in to the AWS Management Console and open the Amazon EFS console at https://console.aws.amazon.com/efs/.

  2. Choose Create file system to open the Create file system dialog box.

  3. Choose Customize to create a customized file system instead of creating a file system by using the service-recommended settings. The File system settings page opens.

  4. For General settings, do the following.

    1. (Optional) Enter a Name for the file system.

    2. For File system type, choose an availability option:

      • Choose Regional to create a file system that stores file system data and metadata redundantly across all Availability Zones within an AWS Region. Regional offers the highest levels of availability and durability.

      • Choose One Zone to create a file system that stores file system data and metadata redundantly within a single Availability Zone. If you choose One Zone, choose the Availability Zone that you want the file system created in, or keep the default value. For more information, see EFS storage classes.

    3. Automatic backups are turned on by default. You can turn off automatic backups by clearing the check box. For more information, see Backing up EFS file systems.

    4. For Lifecycle management, change the lifecycle policies, if necessary.

      • Transition into IA – Select when to transition files into the Infrequent Access (IA) storage class, based on the time since they were last accessed in Standard storage.

      • Transition into Archive – Select when to transition files into the Archive storage class, based on the time since they were last accessed in Standard storage.

      • Transition into Standard – Select whether to transition the file system to the storage class.

        For more information about lifecycle policies, see Managing storage lifecycle.

    5. For Encryption, encryption of data at rest is enabled by default. Amazon EFS uses your AWS Key Management Service (AWS KMS) EFS service key (aws/elasticfilesystem) by default. To choose a different KMS key to use for encryption, expand Customize encryption settings and choose a key from the list. Or, enter a KMS key ID or Amazon Resource Name (ARN) for the KMS key that you want to use.

      If you need to create a new key, choose Create an AWS KMS key to launch the AWS KMS console and create a new key.

      You can turn off encryption of data at rest by clearing the check box.

      You cannot change the encryption setting after the file system is created. For more information, see Encrypting data in Amazon EFS.

  5. For Performance settings, do the following:

    1. For Throughput mode, the Elastic mode is selected by default.

      • To use provisioned throughput, choose Provisioned, and, in Provisioned Throughput (MiB/s), enter the amount of throughput to provision for file system requests. The amount of Maximum Read Throughput is displayed at three times the amount of the throughput that you enter.

      • To use bursting throughput, choose Bursting.

      Amazon EFS file systems meter read requests at one-third the rate of other requests. After you enter the throughput mode, an estimate of the monthly cost for the file system is shown. You can change the throughput mode after the file system becomes available.

      For more information about choosing the correct throughput mode for your performance needs, see Encrypting data in Amazon EFS.

    2. For Performance mode, the default is General Purpose. To change the performance mode, expand Additional settings, and then choose Max I/O.

      You cannot change the performance mode after the file system becomes available. For more information, see Performance modes.

      Important

      Due to the higher per-operation latencies with Max I/O, we recommend using General Purpose performance mode for all file systems.

  6. (Optional) Add tag key-value pairs to your file system.

  7. Choose Next to configure network access for the file system.

Step 2: Configure network access

In Step 2, you configure the file system's network settings, including the VPC and mount targets.

  1. Choose the Virtual Private Cloud (VPC) where you want EC2 instances to connect to your file system. For more information, see Managing mount targets.

  2. For Mount targets, you create one or more mount targets for your file system. For each mount target, set the following properties:

    • Availability Zone – By default, a mount target is configured in each Availability Zone in an AWS Region. If you don't want a mount target in a particular Availability Zone, choose Remove to delete the mount target for that zone. Create a mount target in every Availability Zone that you plan to access your file system from – there is no cost to do so.

    • Subnet ID – Choose from the available subnets in an Availability Zone. The default subnet is preselected.

    • IP Address – By default, Amazon EFS chooses the IP address automatically from the available addresses in the subnet. Or, you can enter a specific IP address that's in the subnet. Although mount targets have a single IP address, they are redundant, highly available network resources.

    • Security groups – You can specify one or more security groups for the mount target. For more information, see Using VPC security groups for Amazon EC2 instances and mount targets.

      To add another security group, or to change the security group, choose Choose security groups and add another security group from the list. If you don't want to use the default security group, you can delete it. For more information, see Creating security groups.

  3. Choose Add mount target to create a mount target for an Availability Zone that doesn't have one. If a mount target is configured for each Availability Zone, this choice is not available.

  4. Choose Next to set the file system policy.

Step 3: Create a file system policy (optional)

Optionally, you can create a file system policy for your file system. An EFS file system policy is an IAM resource policy that you use to control NFS client access to the file system. For more information, see Using IAM to control file system data access.

  1. In Policy options, you can choose any combination of the available preconfigured policies:

    • Prevent root access by default

    • Enforce read-only access by default

    • Enforce in-transit encryption for all clients

  2. Use the Policy editor to customize a preconfigured policy or to create your own policy. When you choose one of the preconfigured policies, the JSON policy definition appears in the policy editor. You can edit the JSON to create a policy of your choice. To undo your changes, choose Clear.

    The preconfigured policies become available once again in Policy options.

  3. Choose Next to review and create the file system.

Step 4: Review and create

  1. Review each of the file system configuration groups. You can make changes to each group at this time by choosing Edit.

  2. Choose Create to create your file system and return to the File systems page.

    A banner across the top shows that the new file system is being created. A link to access the new file system details page appears in the banner when the file system becomes available.

When you're using the AWS CLI, you create these resources in order. First, you create a file system. Then, you can create mount targets and any additional optional tags for the file system by using corresponding AWS CLI commands.

The following examples use adminuser for the --profile parameter values. You must use an appropriate user profile to provide your credentials. For information, see Prerequisites to use the AWS CLI in the AWS Command Line Interface User Guide.

  • To create an encrypted file system with automatic backups enabled, use the Amazon EFS create-file-system CLI command (the corresponding operation is CreateFileSystem), as shown following.

    aws efs create-file-system \
--creation-token creation-token \
--encrypted \
--backup \
--performance-mode generalPurpose \
--throughput-mode elastic \
--region aws-region \
--tags Key=key,Value=value Key=key1,Value=value1 \
--profile adminuser

    For example, the following create-file-system command creates a file system using Elastic throughput in the us-west-2 AWS Region. The command specifies MyFirstFS as the creation token. For a list of the AWS Regions where you can create an Amazon EFS file system, see Amazon EFS endpoints and quotas in the Amazon Web Services General Reference.

    aws efs create-file-system \
--creation-token MyFirstFS \
--backup \
--encrypted \
--performance-mode generalPurpose \
--throughput-mode elastic \
--region us-west-2 \
--tags Key=Name,Value="Test File System" Key=developer,Value=rhoward \
--profile adminuser

    After successfully creating the file system, Amazon EFS returns the file system description as JSON, as shown in the following example.

    {
    "OwnerId": "123456789abcd",
    "CreationToken": "MyFirstFS",
    "Encrypted": true,
    "FileSystemId": "fs-c7a0456e",
    "CreationTime": 1422823614.0,
    "LifeCycleState": "creating",
    "Name": "Test File System",
    "NumberOfMountTargets": 0,
    "SizeInBytes": {
        "Value": 6144,
        "ValueInIA": 0,
        "ValueInStandard": 6144
        "ValueInArchive": 0
    },
    "PerformanceMode": "generalPurpose",
    "ThroughputMode": "elastic",
    "Tags": [ 
      { 
         "Key": "Name",
         "Value": "Test File System"
      }
   ]
}

  • The following example creates a file system that uses Bursting throughput in the us-west-2a Availability Zone by using the availability-zone-name property.

    aws efs create-file-system \
--creation-token MyFirstFS \
--availability-zone-name us-west-2a \
--backup \
--encrypted \
--performance-mode generalPurpose \
--throughput-mode bursting \
--region us-west-2 \
--tags Key=Name,Value="Test File System" Key=developer,Value=rhoward \
--profile adminuser

    After successfully creating the file system, Amazon EFS returns the file system description as JSON, as shown in the following example.

    {
    "AvailabilityZoneId": "usw-az1",
    "AvailabilityZoneName": "us-west-2a",
    "OwnerId": "123456789abcd",
    "CreationToken": "MyFirstFS",
    "Encrypted": true,
    "FileSystemId": "fs-c7a0456e",
    "CreationTime": 1422823614.0,
    "LifeCycleState": "creating",
    "Name": "Test File System",
    "NumberOfMountTargets": 0,
    "SizeInBytes": {
        "Value": 6144,
        "ValueInIA": 0,
        "ValueInStandard": 6144
        "ValueInArchive": 0
    },
    "PerformanceMode": "generalPurpose",
    "ThroughputMode": "bursting",
    "Tags": [ 
      { 
         "Key": "Name",
         "Value": "Test File System"
      }
   ]
}

    Amazon EFS also provides the describe-file-systems CLI command (the corresponding API operation is DescribeFileSystems), which you can use to retrieve a list of file systems in your account, as shown following.

    aws efs describe-file-systems \
--region aws-region \
--profile adminuser

    Amazon EFS returns a list of the file systems in your AWS account created in the specified Region.